Malicious Go Libraries Mimic as Google UUID to Exfiltrate User Data

The Socket Threat Research Team has uncovered two malicious Go packages that have impersonated legitimate UUID libraries, including Google's, for years in order to steal sensitive user data.

The packages, github[.]com/bpoorman/uuid and github[.]com/bpoorman/uid, rely on typosquatting: the account name bpoorman is a lookalike of pborman, so a developer who mistypes or misreads an import path pulls the malicious module instead of the trusted google/uuid or pborman/uuid library.

[Figure: Socket AI Scanner's analysis of the malicious github[.]com/bpoorman/uuid package]

First published in May 2021, github[.]com/bpoorman/uuid has remained live in the Go ecosystem for over four years.

The package imitates the structure and API of the widely used legitimate libraries, which are the de facto standard for generating unique identifiers in Go applications.

Because the malicious package preserves the expected UUID behavior, it works normally for ordinary operations, so a developer who only glances at the dependency list has little reason to notice it.

How the Attack Works

The threat actor behind the bpoorman GitHub alias planted the backdoor in plain sight, in an exported function named Valid.

[Figure: page for the malicious github[.]com/bpoorman/uuid Go package]

While the name suggests a standard validation check, mimicking the legitimate Validate helper, the function actually serves as an exfiltration tool.

When a developer calls this function, it aggregates the supplied data, encrypts it with AES in CFB mode using a hardcoded key, and silently uploads the ciphertext to dpaste.com, a public pastebin-style service.

The upload goes out over HTTPS with a hardcoded bearer token. The encryption protects the attacker rather than the victim: it hides the plaintext from casual network inspection, while the hardcoded key means anyone who extracts it from the library source can decrypt the pastes. For defenders, the combination of a fixed AES key, a fixed API token, and an outbound request to a paste service inside a utility library is itself a strong indicator of compromise.

The danger lies in the function's ambiguity. A developer who passes sensitive information such as session tokens, user IDs, or email addresses to Valid, believing it checks data integrity, has just encrypted that data and sent it to the attacker.

At the time of discovery, github[.]com/bpoorman/uuid was still listed on pkg.go.dev, the central Go package discovery site.

While the second package, github[.]com/bpoorman/uid, has been removed from the discovery site, it remains downloadable through the public Go module mirror (proxy.golang.org), where it has been cached since 2021. Because the Go toolchain's default GOPROXY setting is https://proxy.golang.org,direct, removal from pkg.go.dev does nothing to stop a go get or go mod download that names the module.

Unlike npm or PyPI, the Go ecosystem publishes no download statistics, so there is no way to tell how many systems pulled the packages.

[Figure: excerpt from the threat actor's github[.]com/bpoorman/uid repository showing the uid.go exfiltration code]

The only public signal, the "Imported by: 0" metric on pkg.go.dev, counts open-source importers alone, so private corporate repositories and internal tools could be affected without ever appearing in it.

Security experts recommend that all Go developers immediately audit their go.mod and go.sum files for references to bpoorman, and check the output of go list -m all, which lists every module in the build graph rather than only the direct requirements.

Teams should treat every new dependency as untrusted and look specifically for typosquats that mimic core utilities: lookalike owner names, swapped letters, and abbreviated paths such as uid for uuid.

Because the exfiltration runs inside build pipelines and application logic, a single call to Valid with the wrong argument could leak long-lived credentials or signing keys.
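The audit described above can be automated. The following Go program is an added example written for this page, not Socket's tooling and not code from either package: it parses a go.mod, flags the two module paths named in the report, and additionally flags any require path within a small edit distance of github.com/google/uuid or github.com/pborman/uuid, which catches the lookalike pattern in general rather than only these two names. The sample go.mod, its versions, and the github.com/goog1e/uuid path are constructed for the demonstration and do not refer to real modules. Requires Go 1.21 or newer for the built-in min.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Module paths the Socket report names as malicious.
var knownMalicious = map[string]string{
	"github.com/bpoorman/uuid": "known malicious module (Socket report); lookalike of github.com/pborman/uuid",
	"github.com/bpoorman/uid":  "known malicious module (Socket report)",
}

// Legitimate UUID modules a typosquat would imitate.
var trustedUUIDModules = []string{"github.com/google/uuid", "github.com/pborman/uuid"}

type Finding struct{ Module, Version, Reason string }

// parseRequires returns (module, version) pairs from go.mod text. It handles both
// `require m v1.2.3` lines and `require ( ... )` blocks and drops `// indirect` comments.
func parseRequires(gomod string) [][2]string {
	var reqs [][2]string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // strip trailing comment
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			reqs = append(reqs, [2]string{f[0], f[1]})
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			reqs = append(reqs, [2]string{f[1], f[2]})
		}
	}
	return reqs
}

// levenshtein is the classic edit distance (insert, delete, substitute); min is the Go 1.21 built-in.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// auditGoMod flags known-malicious modules and near-miss spellings (edit distance 1..3)
// of the trusted UUID modules; an exact match to a trusted module is never flagged.
func auditGoMod(gomod string) []Finding {
	var findings []Finding
	for _, req := range parseRequires(gomod) {
		path, ver := req[0], req[1]
		if reason, bad := knownMalicious[path]; bad {
			findings = append(findings, Finding{path, ver, reason})
			continue
		}
		for _, good := range trustedUUIDModules {
			if path == good {
				break
			}
			if d := levenshtein(path, good); d <= 3 {
				findings = append(findings, Finding{path, ver,
					fmt.Sprintf("possible typosquat of %s (edit distance %d)", good, d)})
				break
			}
		}
	}
	return findings
}

// sampleGoMod is a constructed go.mod for demonstration: the versions and the goog1e path are made up.
const sampleGoMod = `module example.com/internal-tool
require (
	github.com/google/uuid v1.6.0
	github.com/bpoorman/uuid v1.0.0 // indirect
)
require github.com/goog1e/uuid v0.0.1
`

func main() {
	for _, f := range auditGoMod(sampleGoMod) {
		fmt.Printf("%s %s: %s\n", f.Module, f.Version, f.Reason)
	}
}
```

Against a real repository, replace sampleGoMod with the contents of go.mod and run the same comparison over the `path version` lines printed by go list -m all, so that transitive dependencies are covered as well. The edit-distance threshold of 3 is deliberately loose; it will occasionally flag an unrelated module, and every hit is meant to be reviewed by a human, not blocked automatically.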

Socket has reported both packages to the Go security team and requested the suspension of the publisher’s GitHub account to prevent further spread.

The post Malicious Go Libraries Mimic as Google UUID to Exfiltrate User Data appeared first on Cyber Security News.